Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
1. This Office Action is responsive to the communication filed 8/18/2025.
Claim Status
2. Claims 1 and 8 have currently been amended.
Response to Arguments
3. The applicant’s arguments have been taken into consideration, but are moot in view of the new grounds of rejection.
In response to the applicant’s argument that the cited prior art fails to teach or suggest an SSR that includes information mapping one or more software libraries to common vulnerabilities and enumeration (CVE) List information indicative of one or more identified vulnerabilities in combination with information mapping applications to software libraries used by the applications:
Regarding an SSR that includes information mapping one or more software libraries to common vulnerabilities and enumeration (CVE) List information indicative of one or more identified vulnerabilities, the examiner maintains that the claimed security system repository (SSR) would have been obvious in view of the security requirements repository (SRR) disclosed in par [0039] and [0049] of Kao et al, because the SRR of Kao et al includes all application security requirements used in the security analysis that identifies security vulnerabilities (e.g., common vulnerabilities and enumeration (CVE) List information indicative of one or more identified vulnerabilities) and in the analysis of source libraries associated with software applications (e.g., information mapping applications to software libraries used by the applications) that identifies a plurality of secondary security vulnerabilities.
Claim Rejections – 35 USC 103
4. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
5. Claims 1-4, 6-11, and 13-14 are rejected under 35 U.S.C. 103 as being unpatentable over Kao et al (US 2019/0205542) in view of Sexton et al (US 2020/0366706), further in view of Velur et al (US 2020/0242254).
Regarding claim 1, Kao et al teaches a method comprising:
maintaining a security system repository (SSR) (par [0039], lines 1-5, "security requirements repository") including information mapping one or more software libraries to information indicative of one or more identified vulnerabilities (par [0015], lines 5-10 and par [0049], which disclose analyzing source code libraries associated with software applications for identifying security vulnerabilities); and
information mapping applications to software libraries used by the applications (par [0049], which discloses said source code library being associated with software applications for identifying the security vulnerabilities);
providing one or more library scanning tools configured to scan the one or more software libraries (par [0015], lines 1-10, which discloses scanning source code libraries to determine said vulnerabilities) and provide notifications indicative of one or more new vulnerabilities (par [0050], lines 10-18, which discloses transmitting notifications as new security vulnerabilities are detected); and
generating an SSR catalog indicative of vulnerability information pertaining to the one or more software libraries (par [0050], lines 1-10, which discloses deriving a list of security vulnerabilities and storing detected vulnerabilities in a database containing vulnerability data).
Kao et al does not explicitly teach providing an enhanced plugin module (EPM) configured to consume installed application metadata enabling to produce an inventory indicative of updates to deploy.
However, Sexton et al teaches providing an enhanced plugin module (EPM) configured to consume installed application metadata enabling to produce an inventory indicative of updates to deploy (par [0027] and par [0053], lines 10-13, which disclose a plug-in database providing plug-ins used to check for updates and patches).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Sexton et al within the system disclosed by Kao et al in order to provide the predictable result of improving the determination of software library vulnerability issues by executing plug-ins from a plug-in database during security audit scans (as disclosed in par [0053] of Sexton et al), because continuously updating and executing plug-ins for determining potential security threats would allow Kao et al to more efficiently identify new threats that would not have been identified without the updated plug-ins being implemented.
Kao et al and Sexton et al do not explicitly teach maintaining a security system repository (SSR) including information mapping one or more software libraries to common vulnerabilities and enumeration (CVE) list information indicative of one or more identified vulnerabilities and information mapping applications to software libraries used by the applications.
However, Velur et al teaches a security system repository (SSR) (par [0042], lines 1-5, which discloses a baseline repository storing information on a plurality of software libraries) including information mapping one or more software libraries (par [0043], lines 1-5 & 16-22, which discloses particular libraries being mapped to software applications linked to a source repository linked to one of the plurality of software libraries) to common vulnerabilities and enumeration (CVE) list information indicative of one or more identified vulnerabilities (par [0038], lines 8-10, which discloses a list of vulnerable libraries containing CVEs & par [0044], lines 6-12, which discloses mapping repository URI information to the software libraries being used by an application being tested for CVEs).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Velur et al within the teachings of Kao et al and Sexton et al in order to provide the predictable result of improving vulnerability detection and vulnerability management by incorporating test suites for measuring CVE characteristics (as disclosed in par [0057] of Velur et al), because such test suites improve the accuracy of the measured characteristics of CVE impact when determining vulnerabilities related to software application code.
Regarding claim 2, Kao et al, Sexton et al, and Velur et al teach the limitations of claim 1.
Kao et al further teaches wherein the vulnerability information included in entries of the SSR catalog comprise one or more of: version information, a common vulnerability scoring system (CVSS) score (par [0117], “CVSS”), and CVE details.
Regarding claim 3, Kao et al, Sexton et al, and Velur et al teach the limitations of claim 1.
Kao et al further teaches updating the SSR catalog responsive to detecting resolution of an identified vulnerability (par [0014], lines 12-20; par [0039], lines 1-5, "security requirements repository"; par [0100]; and par [0117], "determined weight based on the severity of each CVE according to the CVSS score").
Regarding claim 4, Kao et al, Sexton et al, and Velur et al teach the limitations of claim 1.
Kao et al further teaches deploying a fix associated with the resolution to applications that leverage the vulnerable library (par [0014], lines 12-20, which discloses implementing a mitigation plan during deployment to resolve a security threat).
Regarding claim 6, Kao et al does not explicitly teach wherein the installed application metadata includes one or more of: a current security posture of available updates, system level heat maps, fleet level heat maps, and upcoming fixes and functional enhancement timelines.
However, Sexton et al teaches wherein the installed application metadata includes one or more of: a current security posture of available updates (par [0026] and par [0049], “fix has become available”), system level heat maps, fleet level heat maps, and upcoming fixes and functional enhancement timelines.
It would have been obvious to one of ordinary skill in the art before the effective date of the claimed invention to combine the teachings of Sexton et al within the system disclosed Kao et al according to the motivation disclosed regarding claim 1.
Regarding claim 7, Kao et al, Sexton et al, and Velur et al teach the limitations of claim 1.
Kao et al further teaches providing information technology decision makers (ITDMs) with the identifying information (par [0042], lines 18-24, which discloses the security analysis module used to factor notification information into a decision-making process).
Regarding claim 8, Kao et al teaches an information handling system (fig. 1, 100), comprising:
a central processing unit (CPU) (fig. 1, 100);
a computer readable memory including processor executable program instructions (fig. 1, 100) that, when executed by the CPU, cause the information handling system to perform operations comprising:
maintaining a security system repository (SSR) (par [0039], lines 1-5, "security requirements repository") including information mapping one or more software libraries to vulnerability information indicative of one or more identified vulnerabilities (par [0015], lines 5-10, which discloses analyzing source code libraries for security vulnerabilities); and
information mapping applications to software libraries used by the applications (par [0049], which discloses said source code library being associated with software applications for identifying the security vulnerabilities);
providing one or more library scanning tools configured to scan the one or more software libraries (par [0015], lines 1-10, which discloses scanning source code libraries to determine said vulnerabilities) and provide notifications indicative of one or more new vulnerabilities (par [0050], lines 10-18, which discloses transmitting notifications as new security vulnerabilities are detected); and
generating an SSR catalog indicative of vulnerability information pertaining to the one or more software libraries (par [0050], lines 1-10, which discloses deriving a list of security vulnerabilities and storing detected vulnerabilities in a database containing vulnerability data).
Kao et al does not explicitly teach providing an enhanced plugin module (EPM) configured to consume installed application metadata enabling to produce an inventory indicative of updates to deploy.
However, Sexton et al teaches providing an enhanced plugin module (EPM) configured to consume installed application metadata enabling to produce an inventory indicative of updates to deploy (par [0027] and par [0053], lines 10-13, which disclose a plug-in database providing plug-ins used to check for updates and patches).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Sexton et al within the system disclosed by Kao et al in order to provide the predictable result of improving the determination of software library vulnerability issues by executing plug-ins from a plug-in database during security audit scans (as disclosed in par [0053] of Sexton et al), because continuously updating and executing plug-ins for determining potential security threats would allow Kao et al to more efficiently identify new threats that would not have been identified without the updated plug-ins being implemented.
Kao et al and Sexton et al do not explicitly teach maintaining a security system repository (SSR) including information mapping one or more software libraries to common vulnerabilities and enumeration (CVE) list information indicative of one or more identified vulnerabilities and information mapping applications to software libraries used by the applications.
However, Velur et al teaches a security system repository (SSR) (par [0042], lines 1-5, which discloses a baseline repository storing information on a plurality of software libraries) including information mapping one or more software libraries (par [0043], lines 1-5 & 16-22, which discloses particular libraries being mapped to software applications linked to a source repository linked to one of the plurality of software libraries) to common vulnerabilities and enumeration (CVE) list information indicative of one or more identified vulnerabilities (par [0038], lines 8-10, which discloses a list of vulnerable libraries containing CVEs & par [0044], lines 6-12, which discloses mapping repository URI information to the software libraries being used by an application being tested for CVEs).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Velur et al within the teachings of Kao et al and Sexton et al in order to provide the predictable result of improving vulnerability detection and vulnerability management by incorporating test suites for measuring CVE characteristics (as disclosed in par [0057] of Velur et al), because such test suites improve the accuracy of the measured characteristics of CVE impact when determining vulnerabilities related to software application code.
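Claims 1 and 8, as rejected above, recite the same data flow: an SSR that maps libraries to CVE list information and applications to the libraries they use, library scanning tools that notify of new vulnerabilities, an SSR catalog carrying version information, CVSS scores and CVE details, catalog updates when a vulnerability is resolved, and an enhanced plugin module that consumes installed-application metadata to produce an inventory of updates to deploy. The Python model below is an added illustration of that flow for the reader; it is not code from the application or from Kao et al, Sexton et al or Velur et al, and the library names, versions, CVE identifiers and CVSS scores in it are constructed placeholders, not real advisories.

```python
"""Illustrative model of the claimed SSR / catalog / EPM data flow (added example).

Every library name, version, CVE identifier and score here is a constructed placeholder.
"""
from dataclasses import dataclass, field, replace
from typing import Dict, FrozenSet, List, Optional, Set


@dataclass(frozen=True)
class CveEntry:
    """One CVE list entry for a library: affected versions, CVSS base score, fix version if known."""
    cve_id: str
    affected_versions: FrozenSet[str]
    cvss: float
    fixed_in: Optional[str] = None


@dataclass
class SSR:
    """Security system repository: library -> CVE list info, application -> libraries used."""
    library_cves: Dict[str, List[CveEntry]] = field(default_factory=dict)
    app_libraries: Dict[str, Set[str]] = field(default_factory=dict)

    def ingest_notification(self, library: str, entry: CveEntry) -> bool:
        """Consume a scanning-tool notification of a new vulnerability. Idempotent, because
        scanners re-report known CVEs on every run; returns True only for a new entry."""
        entries = self.library_cves.setdefault(library, [])
        if any(e.cve_id == entry.cve_id for e in entries):
            return False
        entries.append(entry)
        return True

    def record_resolution(self, library: str, cve_id: str, fixed_in: str) -> bool:
        """Update the repository when a fix for an identified vulnerability is detected."""
        entries = self.library_cves.get(library, [])
        for i, e in enumerate(entries):
            if e.cve_id == cve_id:
                entries[i] = replace(e, fixed_in=fixed_in)
                return True
        return False

    def catalog(self) -> List[dict]:
        """Generate the SSR catalog: per-library entries with version info, CVSS score, CVE
        details and the applications exposed through that library, highest CVSS first."""
        rows = []
        for lib, entries in sorted(self.library_cves.items()):
            exposed = sorted(a for a, libs in self.app_libraries.items() if lib in libs)
            for e in sorted(entries, key=lambda e: (-e.cvss, e.cve_id)):
                rows.append({"library": lib, "cve": e.cve_id, "cvss": e.cvss,
                             "affected_versions": sorted(e.affected_versions),
                             "fixed_in": e.fixed_in, "applications": exposed})
        return rows


def plan_updates(ssr: SSR, installed: Dict[str, Dict[str, str]]) -> List[dict]:
    """EPM role: consume installed-application metadata (app -> {library: installed version})
    and produce the inventory of updates to deploy. An entry with update_to=None means the
    vulnerability is known but no fixed version has been recorded yet."""
    inventory = []
    for app, libs in sorted(installed.items()):
        for lib, version in sorted(libs.items()):
            for e in ssr.library_cves.get(lib, []):
                if version in e.affected_versions:
                    inventory.append({"application": app, "library": lib, "installed": version,
                                      "cve": e.cve_id, "cvss": e.cvss, "update_to": e.fixed_in})
    return inventory


def build_sample() -> SSR:
    """Constructed sample repository (placeholder data, not real CVEs)."""
    ssr = SSR(app_libraries={"billing": {"libparse", "netio"}, "portal": {"libparse"}})
    ssr.ingest_notification("libparse", CveEntry("CVE-0000-0001", frozenset({"1.0", "1.1"}), 9.8, "1.2"))
    ssr.ingest_notification("netio", CveEntry("CVE-0000-0002", frozenset({"2.3"}), 5.3))
    return ssr


# Constructed installed-application metadata as an EPM would collect it.
SAMPLE_INSTALLED = {
    "billing": {"libparse": "1.1", "netio": "2.3"},
    "portal": {"libparse": "1.2"},
}

if __name__ == "__main__":
    repo = build_sample()
    for row in repo.catalog():
        print("catalog:", row)
    for item in plan_updates(repo, SAMPLE_INSTALLED):
        print("deploy:", item)
    repo.record_resolution("netio", "CVE-0000-0002", "2.4")
    print("after resolution:", plan_updates(repo, SAMPLE_INSTALLED))
```

Two points worth noting in practice: the scanning-tool ingest must be idempotent, since the same CVE arrives on every scan, and the EPM should treat the installed metadata as ground truth rather than the SSR's application-to-library mapping, because the two drift apart whenever an application is redeployed with different dependencies.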
Regarding claim 9, Kao et al, Sexton et al, and Velur et al teach the limitations of claim 8.
Kao et al further teaches wherein the vulnerability information included in entries of the SSR catalog comprise one or more of: version information, a common vulnerability scoring system (CVSS) score (par [0117], “CVSS”), and CVE details.
Regarding claim 10, Kao et al, Sexton et al, and Velur et al teach the limitations of claim 8.
Kao et al further teaches updating the SSR catalog responsive to detecting resolution of an identified vulnerability (par [0014], lines 12-20; par [0039], lines 1-5, "security requirements repository"; par [0100]; and par [0117], "determined weight based on the severity of each CVE according to the CVSS score").
Regarding claim 11, Kao et al, Sexton et al, and Velur et al teach the limitations of claim 8.
Kao et al further teaches deploying a fix associated with the resolution to applications that leverage the vulnerable library (par [0014], lines 12-20, which discloses implementing a mitigation plan during deployment to resolve a security threat).
Regarding claim 13, Kao et al does not explicitly teach wherein the installed application metadata includes one or more of: a current security posture of available updates, system level heat maps, fleet level heat maps, and upcoming fixes and functional enhancement timelines.
However, Sexton et al teaches wherein the installed application metadata includes one or more of: a current security posture of available updates (par [0026] and par [0049], “fix has become available”), system level heat maps, fleet level heat maps, and upcoming fixes and functional enhancement timelines.
It would have been obvious to one of ordinary skill in the art before the effective date of the claimed invention to combine the teachings of Sexton et al within the system disclosed Kao et al according to the motivation disclosed regarding claim 8.
Regarding claim 14, Kao et al, Sexton et al, and Velur et al teach the limitations of claim 8.
Kao et al further teaches providing information technology decision makers (ITDMs) with the identifying information (par [0042], lines 18-24, which discloses the security analysis module used to factor notification information into a decision-making process).
Conclusion
Applicant's amendment necessitated the new ground of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Randy A. Scott whose telephone number is (571) 272-3797. The examiner can normally be reached on Monday-Thursday 7:30 am-5:00 pm, second Fridays 7:30 am-4pm.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Luu Pham can be reached on (571) 270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/RANDY A SCOTT/Primary Examiner, Art Unit 2439
20251021